jm + dpkg   2

Attacks against GPG signed APT repositories - Packagecloud Blog

It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.


This is excellent research. My faith in GPG sigs on packages is well shaken.
apt  security  debian  packaging  gpg  pgp  packages  dpkg  apt-get  ops 
12 days ago by jm
Red Hat on rkt vs Docker
This is like watching a train-wreck in slow motion on Groundhog Day. We, in the broader Linux and open source community, have been down this path multiple times over the past fifteen years, specifically with package formats. While there needs to be room for experimentation, having two incompatible specs driven by two startups trying to differentiate and in direct competition is *not* a good thing. It would be better for the community and for everyone who depends on our collective efforts if CoreOS and Docker collaborated on a standardized common spec, image format, and distribution protocol. To this end, we at Red Hat will continue to contribute to both initiatives with the goal of driving convergence.
rkt  docker  appc  coreos  red-hat  dpkg  rpm  linux  packaging  collaboration  open-source 
may 2015 by jm

Copy this bookmark:



description:


tags: